Managing and securing a large number of Windows PCs within an enterprise can be complicated and time-consuming. For $11 per PC/month, the second generation of Microsoft’s hosted Windows Intune service offers businesses centralized PC management and security without any dedicated on-site resources. Intune’s cloud-based management repertoire sports a wide range of features, including operating system update management, malware protection, software distribution, and remote assistance for far-flung users.

Intune works on all flavors of XP, Vista, and Windows 7

To manage a PC via Intune you must first install the client software, which consists of a dozen individual pieces of software but has a unified installation wizard. The client works with the Professional/Business, Enterprise, or Ultimate flavors of Windows 7, Vista, and XP (32- or 64-bit), and it supports virtual machines (VMs) as well as physical PCs. We successfully tested it on both.

It’s worth noting that Intune confers upgrade rights to Windows 7 Enterprise. This may be of particular interest to organizations still running XP, support for which (finally) goes dark in just under two years, on April 8, 2014.

You can deploy the Intune client manually, or use Group Policy or another method of automatic software distribution. PCs need not be domain members in order to be managed via Intune, so it’s also suitable for telecommuters, mobile employees, outside contractors, etc. Microsoft says that up to 5,000 PCs can be managed from a single Intune account.

Browser-based management console

Windows Intune administration chores are handled through a browser-based management console (Silverlight support is required). Within several minutes of receiving the client software, PCs appear in the Intune console as unassigned computers. From there they can be easily organized into groups.

Managed PCs can be members of multiple groups, which gives administrators the ability to organize them in several ways, e.g. by both physical location and departmentally. (Because Intune doesn’t currently integrate with Active Directory, it won’t pick up an existing organizational structure.)

Because Intune would benefit from integrating with the Active Directory and Group Policy infrastructure that most enterprises already have in place, Microsoft made a pre-release of the next version of Intune available last month. This version promises Active Directory integration and other enhancements, including support for Android, iOS, and Windows Phone smartphones and tablets.

Intune allows an account owner to delegate control by creating additional administrator accounts. Extra admins (all admin accounts must be associated with a Windows Live ID) can have either unrestricted or read-only access. In the latter case, they’re limited to viewing console data and creating reports.

From the administrative console, you can browse the (frequently extensive) list of available Windows updates and approve or decline them for distribution to managed PCs. Admins can also monitor a PC’s update status, view hardware and software inventories, check for malware (the Intune client integrates anti-malware software based on Microsoft’s Forefront Endpoint Protection 2010), restart a system, and apply policies that govern firewall settings, endpoint protection scan options, and how PCs receive and process OS updates.

Intune policies are much more limited in scope than what you get with Group Policy, and when Group Policy settings conflict with Intune policies, the former take precedence.

Software deployment and remote assistance

A helpful feature of Intune is the ability to store corporate applications in the cloud and then automate their deployment to managed PCs. Intune includes 20 gigabytes (GB) of online storage, though you can buy additional storage in 1 GB increments. By default, software deployments are scheduled to take place at midnight, but they can be pushed up or back as needed.

Intune’s software deployment worked equally well for both Microsoft and third-party apps, but uninstalling deployed apps via Intune is only possible when the program’s MSI package supports silent uninstalls. Similarly, Intune doesn’t offer a way to uninstall software that was installed on a PC locally.

Users of managed PCs can get remote assistance (RA) by issuing a request from within the Intune client. Administrators can receive assistance request alerts via e-mail and respond to them from the Intune console. Intune uses Microsoft’s LiveMeeting service to set up the RA connection, so interference from firewalls isn’t an issue (the helper’s PC must have the company’s EasyAssist software installed, however).

On the down side, remote assistance conducted through Intune must be initiated by the user since there’s no way for an administrator to proactively connect to a managed PC.

Pricing

At $11 per PC/month, Windows Intune’s price tag is significant, even considering its extensive capabilities (it also provides license management and reporting features) and the included Windows 7 Enterprise upgrade rights.

Microsoft says its Software Assurance customers will receive a price break so they’re not paying twice for the upgrade rights. You should note, however, that Intune is billed monthly but the subscription term is annual. A 30-day trial of the product is available, limited to 25 PCs and 2 GB of online storage. In most cases, trial configurations can be converted into paid subscriptions.

Conclusion

Windows Intune is worthy of a look for taking PC management features that are typically strewn across multiple areas or third-party products and consolidating them into a single and simple cloud-based system.

Joseph Moran is a veteran technology writer and co-author of Getting StartED with Windows 7 from Friends of Ed.